Sophos Update – Petrwrap/PetyaWrap

Petrwrap/PetyaWrap seems to be very similar to a less prevalent variant of ransomware that was seen last year, called GoldenEye. Specifically, they both vary slightly to other more common ransomware, in that they target the master boot record of the OS rather than individual files. This renders the machine fairly useless – requiring a rebuild, as opposed to file encrypting ransomware where the victim could simply choose to live without their data or recover from backup.

Below is a screenshot of a machine infected with Petrwrap/PetyaWrap. As yet, a fix for infected machines is unknown, and so prevention is better than cure:

The good news is that customers using (up to date) Sophos Endpoint Protection are protected against all known variants of this ransomware. We first issued protection on June 27th at 13:50 UTC and have provided several updates since then to provide further protection against possible future variants.

In addition, customers using Sophos Intercept X / EXP were proactively protected with no data encrypted, from the moment this new ransomware variant appeared. Intercept X / EXP customers may need to take further steps to reboot an infected computer, post cleanup.

About Blue Cube

The Blue Cube ethos is to offer fully independent and accurate advice providing the expertise, technology and management skills to help identify where to protect, what to protect and how to protect corporate IT resources and enable secure access for authorised users.